SUSE has issued an advisory on May 4: https://lists.suse.com/pipermail/sle-security-updates/2023-May/014722.html The issue is fixed upstream in 0.30.3: https://github.com/commonmark/cmark/releases/tag/0.30.3
Status comment: (none) => Fixed upstream in 0.30.3
Updated package built for Mageia 8

Advisory:
========================

Patched cmark package fixes security vulnerability:

It was discovered that cmark incorrectly handled certain inputs. Fixes quadratic complexity in handle_close_bracket "![[]()" which may lead to a denial of service (CVE-2023-22486).

Noting that this also fixes a quadratic parsing issue with repeated <!-- that was not in a released product but which was assigned a CVE (CVE-2023-22484).

References:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014722.html
https://github.com/commonmark/cmark/releases/tag/0.30.3
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22486
========================

Updated packages in core/updates_testing:
========================

cmark-0.30.3-1.mga8.x86_64.rpm
lib64cmark0-0.30.3-1.mga8.x86_64.rpm
lib64cmark-devel-0.30.3-1.mga8.x86_64.rpm

from cmark-0.30.3-1.mga8.src.rpm
Assignee: mhrambo3501 => qa-bugs
CVE: (none) => CVE-2023-22486
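A QA-side check for the fix described in the advisory, added here as an example and not part of the advisory or of cmark's own test suite: it repeats the "![[]()" fragment named above (the exact shape of the pathological document is an assumption) at two sizes and compares cmark's wall-clock time, since a quadratic parser roughly quadruples its runtime when the input doubles while the patched 0.30.3 build scales about linearly. It assumes GNU date for millisecond timing and skips the timing step when cmark is not installed.

```sh
#!/bin/sh
# Constructed QA check for CVE-2023-22486 (not from the advisory or cmark).

# Build a document made of N copies of the "![[]()" fragment (assumed input shape).
gen_input() {
    awk -v n="$1" 'BEGIN { for (i = 0; i < n; i++) printf "![[]()" }'
}

# Milliseconds cmark needs to render N fragments to HTML (assumes GNU date +%N).
time_ms() {
    start=$(date +%s%N)
    gen_input "$1" | cmark --to html >/dev/null
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# Compare N and 2N fragments: a time ratio below 3 is treated as linear
# (fixed build); a ratio near 4 is the signature of the quadratic bug.
classify() {
    t1=$(time_ms "$1")
    t2=$(time_ms $(( $1 * 2 )))
    [ "$t1" -lt 1 ] && t1=1          # avoid dividing by a sub-millisecond timing
    if [ $(( t2 * 10 / t1 )) -lt 30 ]; then
        echo linear
    else
        echo quadratic
    fi
}

if command -v cmark >/dev/null 2>&1; then
    echo "cmark: $(cmark --version | head -n 1)"
    printf 'scaling from %s to %s fragments: %s\n' 20000 40000 "$(classify 20000)"
else
    echo "cmark not installed; only gen_input is usable" >&2
fi
```

On a patched 0.30.3 build the classifier should report "linear"; timings under a few milliseconds are noisy, so raise the fragment count if the result flips between runs.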
Status comment: Fixed upstream in 0.30.3 => (none)
CC: (none) => mhrambo3501
MGA8-64 MATE on Acer Aspire 5253

No installation issues.

No wiki, no previous updates, so looking for info. From MCC: "It also provides a command-line program (`cmark`) for parsing and rendering CommonMark documents." Googling around what might be a "CommonMark document", didn't get any wiser.

Played with the command:

$ cmark --version
cmark 0.30.3 - CommonMark converter
(C) 2014-2016 John MacFarlane

$ cmark --help
Usage: cmark [FILE*]
Options:
--to, -t FORMAT Specify output format (html, xml, man, commonmark, latex)
--width WIDTH Specify wrap width (default 0 = nowrap)
--sourcepos Include source position attribute
--hardbreaks Treat newlines as hard line breaks
--nobreaks Render soft line breaks as spaces
--safe Omit raw HTML and dangerous URLs
--unsafe Render raw HTML and dangerous URLs
--smart Use smart punctuation
--validate-utf8 Replace invalid UTF-8 sequences with U+FFFD
--help, -h Print usage information
--version Print version

I will not object to the OK if someone decides this is sufficient.
CC: (none) => herman.viaene
Neochat requires the library but deals with matters a little outside our purview: "NeoChat is a client for Matrix, the decentralized communication protocol for instant messaging." mkvtoolnix-gui also needs the library. That has something to do with multiplexing in the context of building matroska files (MKV container files) which is rather too specialised for us. Apart from following the tutorial for cmark and attempting to build an HTML document containing markdown directives there is not much we can do with this IMHO. Might have a go at that sometime. The packages update cleanly so I agree with Herman.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validated. Advisory in comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0181.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Blocks: (none) => 31945
Hi, today the MGA8 update asked to remove mkvtoolnix-gui, and afterwards I cannot install it back:

urpmi mkvtoolnix-gui
Le paquetage suivant ne peut pas être installé, car il dépend de paquetage qui sont plus anciens que la version installée : mkvtoolnix-gui-49.0.0-3.mga8
CC: (none) => surfzoid
Fix is in progress. See bug 31945